Fitness brand Garmin paid millions of dollars in ransom after an attack took many of its products and services offline last month, Sky News reports. The payment was reportedly made through a ransomware negotiation company called Arete IR, in order for Garmin to recover data held hostage as a result of the attack.
BleepingComputer reported last week that Garmin had received a decryption key to access data encrypted by the virus, and that the initial ransom demand was for $10 million.
The attack itself began on July 23rd, and put Garmin’s wearables, apps, website, and even its call centers offline for several days. Garmin confirmed that it had been the victim of a cyberattack on July 27th, as many of its services were starting to come back online. Its statement did not say whether it had paid a ransom in response to the attack, but noted that no customer data was accessed, lost, or stolen.
Early on, reports suggested that the fitness brand had been hit by a strain of ransomware called WastedLocker, which is believed to have been developed by individuals linked to a Russia-based hacking group. The group, known as Evil Corp, was placed under sanctions by the US Treasury last December, and Sky News reports that one ransomware negotiation company declined to work with Garmin to resolve the incident over fears of breaking those sanctions.
Arete IR declined to confirm to Sky News whether it had worked with Garmin to respond to the incident citing “contractual confidentiality obligations to all clients.” The firm said that it “follows all recommended and required screenings to insure compliance with US trade sanctions laws.” On July 24th, Arete IR tweeted a white paper disputing reports of a link between WastedLocker and Evil Corp. A representative from the company did not immediately respond to The Verge’s request for comment.
WastedLocker is a new variant of #ransomware that was initially reported in May and is rumored to have come from the "Evil Corp" group. In this insight, we discuss the four main reasons why Arete experts determined this theory to be inconclusive. (https://t.co/fZUmHCXMMn) pic.twitter.com/hvdMNEEVpe— Arete Incident Response (@Arete_Advisors) July 24, 2020
The US government has not publicly attributed WastedLocker to the individuals it placed under sanction in December, Sky News reports, and since the software was developed after the sanctions were announced it does not appear in the original announcement.
BleepingComputer reports that it believes Garmin must have paid the ransom because of the lack of known weaknesses in the WastedLocker virus. Code from a Garmin-developed executable reviewed by BleepingComputer suggests the company paid the ransom on either July 24th or July 25th, and the publication confirmed that the executable was able to decrypt sample files encrypted by WastedLocker.
When contacted, a spokesperson from Garmin pointed The Verge towards its previous statement made on July 27th, and added that it could not comment on any additional details.
Update August 4th, 11:39AM ET: Updated with Garmin’s response.